9 Essential Requirements for Web 2.0 Security

Transcription

1 9 Essential Requirements for Web 2.0 Security Enabling Safe, Productive Access to Social Media and Other Web 2.0 Applications

2 Table of Contents Executive Summary 3 Introduction 3 Web 2.0 Security Concerns 4 Inbound threats 4 But we are spending billions worldwide on security! 5 Signatures fall short 5 Encryption creates a blind spot 6 Categories are superficial 6 Outbound Threats 6 Solving the Web 2.0 Security Dilemma 6 The Solution: Expanded Requirements for Security, Control, and Performance 7 Security 7 Control 7 Performance 7 Requirement 1: Global approach 7 Requirement 2: Local approach 8 Requirement 3: Bidirectional and multiprotocol 9 Requirement 4: Throughout the enterprise 9 Requirement 5: Granular application control features 9 Requirement 6: Multiprotocol data loss prevention 10 Requirement 7: Flexible deployment options 10 Requirement 8: Multifunction 10 Requirement 9: Manageable 11 Conclusion 11 About McAfee, Inc. 11 Appendix A: Requirements Checklist for Web Gateway Security 12

3 Executive Summary In a marked changed from as recently as two years ago, the Forrester Consulting study Closing the Gap with Next Generation Web Gateways finds that Web 2.0 applications such as social networking are now widely used by enterprises worldwide. 1 9 Critical Web Security Metrics Security Global approach Local approach Bidirectional and multiprotocol Throughout the enterprise Control Granular application control features Multiprotocol data loss prevention Performance Flexible deployment Multifunction Manageable These cloud based applications lower costs, increase productivity, and contribute to work/life balance for employees. They also place stress on the security, control, and performance of legacy web infrastructure. Many enterprises blithely count on aging web and messaging security solutions that simply do not provide the protection needed for today s dynamic web environment. How is your web infrastructure holding up? Are you enabling and controlling access to applications that satisfy your business users and business units while complying with your security policy needs? Is your web gateway securing access to those applications? Is confidential data being protected? Are you prioritizing bandwidth for the best business benefit? Are your mobile users both productive and protected? Are you secured against today s targeted attacks? Forrester s latest research shows three requirements driving demand for next-generation web security gateways: Rapid adoption of Web 2.0 technologies An increase in the cost of associated malware threats An increasingly mobile and distributed workforce 2 Both to enable safe use of social networking and address Web 2.0 threats effectively, companies need to augment traditional security best practices with a new generation of multilayered security. Effective protection today demands both inbound and outbound inspection and reputation-based filtering that performs multiple web security functions, such as anti-malware, URL filtering, spyware, and data loss prevention, within a single system. Dissolving perimeters, evolving workplaces, and the adoption of the cloud require flexible deployment options: appliances, software, and cloud-based. And all workers need protection, no matter what device they use or what location they call their office. This paper draws on customer experience, threat data, and third-party sources to characterize new Web 2.0 threats and explain why most security solutions in place today are ineffective. We then propose three key organizational principles for assessing and enhancing web security security, control, and performance and nine functional requirements that enable these principles. These new capabilities (and the RFP checklist in the appendix) will help you confidently allow safe, productive access to social media and other Web 2.0 applications. Introduction Web 2.0 applications expose organizations to both inbound and outbound security threats that overwhelm the legacy security measures originally designed for a simpler, less interactive web environment. A new generation of security threats is bringing malicious attacks led by highly organized cybercriminals with sophisticated tools. They target specific organizations to disrupt business, steal sensitive information, and profit financially. Today s business model relies on the web to provide inbound access for remote employees, partners, and customers from any location, anywhere in the world. Internal employees also reach out beyond the edge of the corporate network to access hosted applications, collaborate, and gather information across the Internet. While web-based communications are both inbound and outbound, so too are related threats. 1. Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July 2010, commissioned by McAfee 2. Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July 2010, commissioned by McAfee 3

4 As Web 2.0 applications like social networking have become an integral part of legitimate business operations, they have become integral to Internet-based criminal operations. A recent threats report noted that while the 2008 Koobface malware continues to plague Facebook users, it is now also used with enterprise-friendly social networking sites, such as Twitter. 3 As web-enabled business applications have moved outside the firewall and into the cloud, protecting the communication between the worker and the application has become a web gateway problem, not a firewall problem. The modern worker s requirement to use their device of choice not just a managed laptop, but a virtualized thin client, personal smartphone, or Internet kiosk means that endpoint-only security is also not sufficient. Effective bidirectional security must ensure malware does not get in and sensitive and regulated data does not get out. Naturally, this challenge must be addressed without inhibiting employee productivity through overly restrictive access. Read on as we take a closer look at today s business-class web threats and why legacy web security solutions offer limited protection. We will then outline nine requirements for a new, proactive security paradigm to help you secure Web 2.0 applications, protecting your enterprise and the employees that use these applications on a daily basis. How do attackers leverage social media sites? Spam: Some sites include addresses and share them based on degrees of separation Spear-phishing/targeted social networking/ s: These link to sites with unpatched vulnerabilities. The ability to send a message on a social networking service is similar to sending an , but with far less spam or phishing protection. Advanced persistent threats: Everyone s favorite (or least favorite) buzzword of the year. As social networking exposes private information job history, friends, birthdays, etc. persistent attackers may attempt to capitalize on that information. Botnet control: Using covert channels From the McAfee white paper Social Networking Apps Pose Surprising Security Challenges, Anthony Bettini, McAfee Labs Web 2.0 Security Concerns Inbound threats The press is full of examples of organizations being compromised via the Web. The recent Aurora attack against Google and other enterprises 4 is one of many examples of the use of the browser as the entry point for malware into the enterprise. Malware developers are sophisticated software developers working for criminal enterprises. They design their software for two main reasons. First, malware can compromise a host, creating a zombie that participates in a denial-of-service or other botnet that can disrupt operations. Second, the malware can steal valuable, sensitive information from the victim: keystrokes, passwords, and intellectual property. In addition, these sophisticated developers have easy access to low cost coding tools, with simple point and click interfaces, lowering the skill level required. Many of these threats are highly refined, using not only the web (HTTP) protocol, but also encryption (HTTPS) and (SMTP) protocols to pull off their attacks. All of the popular social networking sites have been leveraged by attackers: Twitter, 5 Facebook, 6 and LinkedIn Twitter Hack Raises Flags on Security, NY Times, July 15, 2009, 6. Facebook hit by another version of Koobface worm, USA Today, April 8, 2010, 7. Loudmouth workers leaking data through social networking sites, The Register, April 28,

5 The publicity around such attacks and the resulting damage and data loss have not gone unnoticed. Enterprise security leaders are aware of the security risks inherent in the adoption of Web 2.0 technologies and applications. Three Forrester studies found that data leaks and malware are the top two concerns, and concern is growing. 8 How concerned are you about these threats? 2008 survey survey 10 Trending Malware infection 59% 74% h Data leaks 58% 63% h Comparing two Forrester Research studies two years apart, web-borne risks present an increasing concern to enterprise IT managers. Furthermore, the 2010 Forrester study showed that organizations with distributed employees were almost twice as likely to have to deal with malware than those with workers located in a central office. A mobile, remote workforce exacerbates the risk. 16%.5%.25%.25% 1% 5% But we are spending billions worldwide on security! Through the years, businesses have addressed the majority of security issues in underlying Web 1.0 protocols. Solutions like signature-based anti-virus and category-based web filtering provide very effective protection against early Web 1.0 threats. Yet the attacks continue and security managers are rightfully concerned. 30% 47% Today s layering of new next-generation programming languages and programming tools on top of the underlying protocols in Web 2.0 has given those with malicious intent a whole new set of technologies to exploit. Signature-based solutions and other Web 1.0 security practices continue to be a necessary part of the security infrastructure, but they are no longer enough by themselves. HTML Documents (incl. embedded scripts) Windows Executables Standalone JavaScript Graphics (JPEG, WMF, GIF) Stylesheets Java Applets Documents (MS Office and PDF) Animated Cursor Icons Malware increasingly uses signatureproof methods to deliver payloads. In one McAfee Web Gateway deployment, only 30 percent of the malware stopped by the gateway was a windows executable for which signatures were effective. Most of the remaining malware was non executable: JPEG files, PDF documents, and scripts. This modern malware was successfully stopped by proactive, behavior-based malware scanning that does not rely solely on signatures. Signatures fall short Targeted attacks are increasingly brief in duration and small in the number of instances sent out. Since most companies have deployed signature-based protections that look for known malware and executables, targeted attacks increasingly use other methods that can only be caught with behavioral tools. For instance, a malicious executable, such as a Trojan or worm, might be disguised as a GIF or JPEG file. This unique piece of content cannot be recognized and therefore will not be stopped by a signature, even if the signature-based solution is aware of the malware that is used. Operation Aurora is an example of this type of attack. 11 Since an attack can end in just a few hours, data may have already been stolen before anyone detects an attack. Even for malware that can be tracked with signatures eventually, there is a window of cybercrime profit opportunity between the time a threat is launched and the eventual distribution of a signature. Malware enters organizations through paths other than files. Users can be educated not to click on suspicious attachments, but malicious websites may contain active code that launches automatically as soon as the web page is viewed. Today, Facebook profile pictures are being embedded with malware. 12 Can we teach a user which Facebook pages are trustworthy and which are not? Unfortunately, we cannot, because the risk lies within pages and their components, not at the page level. 8. Internet Risk Management in the Web 2.0 World, Forrester Consulting, September 2007; Next Generation Secure Web Gateways, Trends and Requirements, Forrester Consulting, December 2008 Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July Next Generation Secure Web Gateways, Trends and Requirements, Forrester Consulting, December Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July 2010, commissioned by McAfee McAfee Threats Report: Second Quarter 2010, McAfee Labs, p. 14 5

6 Encryption creates a blind spot Malicious attacks are also now utilizing the very technologies that were created to provide security. For example, encrypted HTTP (HTTPS) was created to ensure that financial data was not transmitted in the clear on the Internet. However, attackers now also use this secure connection to control operations or transmit malware, knowing HTTPS traffic will go uninspected by many legacy firewalls and anti-virus solutions. 13 We refer to this portion of network traffic as the SSL blind spot. Operation Aurora relied extensively on encrypted communication back to the command and control center. Year after year, despite the proliferation of anti-virus software, these cost figures do not let up. The reality is that web-based malware is a whole new class of threats, different from traditional computer viruses. It requires different analysis and detection methods, which are still nascent for many web filtering solutions. Forrester Research 14 Categories are superficial In the past, companies used categories to filter out groups of sites that were considered inappropriate or risky. Category-based URL filtering vendors would scan a given URL, characterize its content, and classify it. Later, the enterprise would set category-based policies that suited its risk profile. These categorized databases of URL entries are updated only a few times per day, leaving opportunity for criminals to benefit from malware placed on legitimate sites for just a few hours. Many use distributed networks of bots to hide their content. Categories can help with appropriate use, but offer little protection against agile, determined criminals. Is it any wonder then that organizations collectively spend billions each year on security software, yet are not adequately protected? Outbound Threats In addition to inbound threats, there are also outbound data leakage risks that jeopardize critical and sensitive information vital to an organization s success. Attackers are not always outsiders in faraway countries. Data thieves, industrial spies, and cyber-vandals can, and often do, operate within a company s own boundaries. Moreover, outbound threats are not always the result of an intentional attack by an insider; sometimes they occur when an employee unintentionally opens a back door by downloading a rogue application, one that has not been approved by IT. Outbound data loss is a concern for two reasons: the risk of intellectual property loss and the need to comply with regulatory mandates and industry requirements, including SOX, HIPAA/HITECH, GLBA, PCI, and regional privacy laws. Many organizations imagine that simply filtering their provides sufficient protection. While filtering is a key factor in a data loss prevention strategy, a multiprotocol approach to data security where security administrators also pay attention to web protocols is best. Blogs, wikis, social networking sites, and personal (which is sometimes encrypted) are all potential data loss points for the enterprise. As a result, web (HTTP), encrypted web (HTTPS), instant messaging (IM), and file transfer (FTP) protocols must all be monitored. Again, with Operation Aurora, one of the goals of the attack was access to intellectual property, specifically software code repositories. Solving the Web 2.0 Security Dilemma Given the security gap between legacy solutions and modern threats, what should organizations do to provide strong security in our rapidly evolving web world? Forrester s Recommendations The 2010 Forrester study updates the requirements for a next generation secure web gateway. Those needs include: Real time anti-malware detection Data leak protection Web gateway deployment choice: on premise appliances, in-the-cloud infrastructure, or a hybrid mix of both Quality of service application control and traffic management Next Generation Secure Web Gateways, Trends and Requirements, Forrester Consulting, December

7 The report goes further to recommend support for mobile filtering as more and more workers access the Internet and their corporate networks with laptops, smartphones, and tablets, including iphones, Androids, and ipads, causing significant exposure to malware. The Solution: Expanded Requirements for Security, Control, and Performance In order to enable a safe, productive work environment, today s web infrastructure must deliver robust features in three key areas: security, control, and performance. All of the Forrester design recommendations in the current study can be met by breaking down the security approach in these three areas, which in turn yield nine requirements. Security Web security must be global, local, bidirectional, multiprotocol, and work despite users connecting to the Internet and then connecting to the enterprise network. Global approach Deploy proactive, real-time, reputation-based URL filtering, powered by in-the-cloud global threat intelligence Local approach Deploy anti-malware protection utilizing real-time, local intent-based analysis of code Bi-directional and multiprotocol Implement bi-directional filtering at the gateway for all web traffic, including web protocols such as FTP, HTTP, HTTPS, IM, and streaming media Throughout the enterprise Protect from the corporate network to the branch office to mobile users on laptops, smartphones, or tablets, safeguarding against malware collected directly from the Internet Control Control of application usage must be granular, down to the user level when necessary, and be part of an organization s data loss prevention and compliance strategy. Granular application control features Move beyond a binary block or allow approach to provide selective, policy-based access to Web 2.0 sites, such as blocking a specific social networking game (such as Mafia Wars) while allowing a general category called games Multiprotocol data loss prevention Monitor for and protect against data leaks on all web protocols Performance Solution performance must be flexible and scalable to meet the changing needs of the business, especially growth in the size of the business and its web use. Flexible deployment Provide options that meet strategic needs: on site, in the cloud, or hybrid Multifunction Reduce cost and simplify management by consolidating legacy point applications into an integrated solution Manageable Use comprehensive access, management, and reporting tools Let us look at these nine requirements more closely. Requirement 1: Global approach Deploy proactive, real-time, reputation-based URL filtering, powered by in the cloud global threat intelligence Because legacy URL filtering solutions are only as accurate as their most recent update, enterprises need extra help determining which sites are risky. What is needed is a reputation system that assigns global reputations to URLs and IP addresses, working alongside categorized databases to provide an additional layer of protection far stronger than URL filtering alone. A sophisticated reputation system can determine the risk associated with receiving data from a particular website. This reputation can be used in conjunction with categories in an organization s security policy, providing the ability to make appropriate decisions based on both category and security reputation 7

8 information. A reputation-based URL filtering solution needs to be global in scope and internationalized to handle websites in any language. Because malware attacks are so targeted and short in duration, the reputation system must be continually updated. The web security solution must have the ability to perform real time queries in the cloud so that it is not relying solely on local databases for the latest threat intelligence. It is critical that the reputation system provide both web and messaging reputation. Since malicious attacks are often based on multiple protocols, the reputation system must be aware of both web- and -borne threats. For example, a new domain without content cannot be categorized. However, if it is associated with IP addresses that have a history of evil sending spam, phishing attacks, or other malicious s then the web reputation for this uncategorized domain can be determined based on its history. The new site s dubious reputation can be used to protect users who try to access the domain. Requirement 2: Local approach Deploy anti-malware protection utilizing real-time, local intent-based analysis of code Enterprises should deploy intent-based anti-malware at the web gateway. These solutions include a signature-based anti-virus engine to stop known threats, and, more importantly, address the problems illustrated in the Forrester study: Web malware today is a far cry from traditional viruses. It is often obfuscated, embedded in live Web 2.0 content, and morphs frequently. Signature-based antivirus detection has been proven ineffective time and again. These new forms of malware can even evade simple behavior- or heuristics-based detection. A next-generation secure Web gateway should include in-depth, real-time detection of malware, which includes signature, reputation, behavior, heuristics, static analysis, and execution emulation. 15 Effective local malware solutions utilize intent-based analysis to examine code that will execute in the browser. By analyzing the code at the gateway a gateway located physically at the enterprise or in the cloud as a hosted service malware can be detected and blocked before it reaches the endpoint or other networked assets. Gateway-based malware protection should: Determine the actual file type based on a magic number or checksum analysis Decrypt and de-obfuscate to safeguard against files that are disguised Disallow media types that are potentially hazardous (like unknown ActiveX) Check active code for valid digital signatures Analyze behavior to determine if the malware will act in a known manner Analyze scripts to determine if they are trying to exploit vulnerabilities on the client Neutralize attacks as needed It is also critical that a gateway anti-malware engine not only protect that enterprise s network but also notify a global threat intelligence (GTI) system whenever it finds malware for which no signature exists. This notification permits all customers participating in the GTI ecosystem to benefit from the latest reputation information for evolving sites and domains. These first two requirements form the core of the approach to web security needed for today s threat environment. Enterprises cannot rely on one approach alone. The local and global approaches working together reinforce each other for security much stronger than either technique acting on its own Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July For more detailed information on how to stop web-borne malware, please see papers/5475wp_webw_antimal_0109_003.pdf 8

9 Requirement 3: Bidirectional and multiprotocol Implement bidirectional filtering at the gateway for all web traffic, including web protocols such as FTP, HTTP, HTTPS, IM, and streaming media Applications that communicate over encrypted and unencrypted protocols need to be controlled in both directions. This includes controlling access to websites, blogs, wikis, IM, streaming media, and other applications, as well as monitoring the connections for malware coming in and sensitive data going out. For example, Instant Messaging applications need to be proxied. Proxies allow granular control over who uses an application and what they can do with it, such as send links, receive links, or send files, and lets IT filter outbound content for sensitive data. These controls are as important as filtering what is posted or received via social networking sites (including Facebook and Twitter), or blogs and wikis. With a high percentage of corporate web traffic now being encrypted (HTTPS), it is imperative to be able to selectively decrypt this content at the gateway, providing security while respecting privacy for access to sensitive sites, such as personal finance or healthcare sites. Requirement 4: Throughout the enterprise Protect from the corporate network to the branch office to mobile users on laptops, smartphones, or tablets, safeguarding against malware collected directly from the Internet Study your employees that connect to the Internet and then connect to your network. Laptop users connecting to the public internet risk infection. Are you filtering their access even when not on your network? More and more organizations wish to allow their employees to use personally owned devices (like Apple laptops, iphones, and ipads) to connect to their network and applications. Your web security should allow you to filter their access and prevent malware from entering the enterprise network. Requirement 5: Granular application control features Move beyond a binary block or allow approach to provide selective, policy-based access to Web 2.0 sites, such as blocking a specific social networking game (such as Mafia Wars) while allowing a general category called games Legacy Web 1.0 security solutions use a binary block or allow approach to web access. However, today s enterprises need to have bidirectional filtering that controls what a user can do on Web 2.0 sites and also protects against data loss. Within web security gateways, controlling what a user can do on a site is known as application control. Because Web 2.0 sites are bidirectional in nature users can both access and contribute content data loss prevention needs to be part of this control as well. In addition to allowing sensitive content to escape, user contributed content is a common insertion point for malware. Finally, many of these sites contain bandwidth-hogging streaming media. All of these reasons mandate that a web gateway exert control over which users can access these sites based on who they are and the time of day. When access is allowed, the gateway must control what the users can do when they get to the site. It is important to have granular control over who uses the application and how it is used. We can no longer just block or allow YouTube or Facebook access; we need to enable or disable specific functionality as needed. For example, you might want employee access to YouTube videos for training purposes (for example McAfee has its own YouTube channel). However, you probably do not want your employees wasting time and bandwidth viewing non-business videos. Similarly, Facebook is now widely used in marketing and many companies allow employee access in the name of work/life balance. But do we want employees playing potentially inappropriate games like Mafia Wars on Facebook? Probably not. Application control features can provide safe access to a social networking site. Control should be fine-grained enough to block categories of features, and even specific undesirable applications, and have the option to work in conjunction with data loss protection 9

10 to guard important data. Furthermore, this degree of application control should be provided at the enterprise, group, or even user level and take effect based on time of day. Requirement 6: Multiprotocol data loss prevention Monitor for and protect against data leaks on all web protocols Data loss protection on content exiting via either the web or requires five steps. From defining corporate and regulatory policies to detecting and enforcing them, to proving compliance to auditors, this process is the surest way to ensure that no inappropriate information ever leaves your gateway. The five steps to achieve compliance are Discover and learn Find all your sensitive data wherever it may be Assess risk Ensure secure data handling procedures are in place Define effective policies Create policies to protect data and test them for effectiveness Apply controls Restrict access to authorized people and limit transmission Monitor, report and audit Ensure successful data security through alerting and incident management For data in motion, data loss prevention should be provided over encrypted and unencrypted protocols for both messaging and web traffic. As with application control, this includes managing access to websites, social networking sites, blogs, wikis, IM, P2P, and other applications, as well as monitoring connections for data leakage. And as with application control, it is imperative to be able to selectively decrypt encrypted traffic at the gateway to provide security while respecting privacy for access to sensitive sites. Requirement 7: Flexible deployment options Provide options that match your strategic needs: on site, in the cloud or a hybrid mix of both With employees accessing your network and the Internet from anywhere in the world, not just from the confines of your network, the solution must be flexible. It should secure headquarters, remote offices, and home offices, as well as the hotels, airports and coffee shops where mobile workers expose their laptops and other mobile devices to attack. This coverage requires solutions with a range of implementation footprints. Some enterprises want equipment to live on their premises. You should be able to choose from appliances, blade servers, and software deployment options (including the choice of virtualization to leverage existing hardware investments). Others will want to choose the cloud and provide web security via Software as a Service (SaaS). Yet others desire a hybrid approach that mixes appliances at major offices and SaaS for remote offices and home office workers. The Forrester study predicts a growing interest in moving to cloud based and hybrid deployments. 17 Requirement 8: Multifunction Reduce cost and simplify management by consolidating legacy point applications into an integrated solution To cost-effectively manage risk, today s web gateway requires a single-solution that houses the security and caching engines in the same application, tightly integrated. In addition to having fewer vendors to deal with, you get added protection by replacing point solutions with integrated, multifunction solutions that provide best-of-breed functionality. Since the cache can be security-aware, malware detection can be integrated with reputation-based filtering, and so on. Solutions that manage both inbound and outbound risk reduce costs and increase security by providing additional opportunities for consolidation and efficiency. 17. Closing the Gap With Next Generation Web Gateways, Forrester Consulting, July

11 McAfee Products and Technologies for Enabling Safe, Productive Web 2.0 Access Building on the principles of security, control, and performance, McAfee is actively investing in its web gateway security solutions such as McAfee Web Gateway and McAfee SaaS Web Protection, and its data protection products, including McAfee Data Loss Prevention. Our goal is to provide the industry s most complete protection against threats introduced through use of today s web applications. McAfee web security provides the global and local security approach required in today s highly interactive web world, where malicious attacks are increasingly sophisticated, targeted, and designed to take full advantage of social networking sites. Through proactive reputation- and intent-based protection, we meet the needs of today s evolving threatscape. McAfee web security consolidates the functionality of point products to reduce total cost of ownership. You can deploy them where and how you need them: on your premises in the form of appliances, blade servers, or virtualized systems, or through the cloud. McAfee Data Loss Prevention solutions integrate with McAfee web and security for complete data protection. More and more enterprises are choosing McAfee. Gartner has positioned McAfee in the Leaders quadrant of their Magic Quadrant for Web Gateway 18 and Magic Quadrant for Content-Aware Data Loss Protection. 19 McAfee is also positioned as a Leader in the Forrester Wave for Web Filtering. 20 McAfee Web Gateway also has been number one in Web Gateway Appliance Market share for two years in a row. 21 Learn more at Requirement 9: Manageable Use comprehensive access, management, and reporting tools Since constant web access is so critical to business today, enterprises should deploy solutions that provide at-a-glance reporting on the status and health of their web gateways. They also need both real-time and forensic reporting that allows them to drill down into problems for remediation and post-event analysis. Robust and extensible reporting is the cornerstone of your ability to understand risk, refine policy, and measure compliance. Conclusion With more than 90 percent of organizations already reporting business value from Web 2.0 adoption, these technologies and applications are here to stay. However, Web 2.0 adoption and distributed, dynamic business models have created new security risks for organizations. Previous generations of web security solutions that depended on signatures and categorization have proven too primitive for managing these challenges. Organizations must deploy a new generation of gateway-based solutions to counter these threats. These new solutions must use reputation- and intent-based techniques to thwart the short-lived, targeted attacks that are becoming the new cybercrime standard. Today s we gateways must offer stronger, more granular control over applications and usage. And they must meet the operational demands of highperformance organizations. The nine requirements discussed here should form the selection criteria for commercial solutions that can allow you to enable safe, productive access to all the potential of Web 2.0. Use the checklist in Appendix A as you determine your partner for next-generation web gateway security. About McAfee, Inc. McAfee, Inc., headquartered in Santa Clara, California, is the world s largest dedicated security technology company. McAfee is relentlessly committed to tackling the world s toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security Peter Firstbrook and Lawrence Orans, Magic Quadrant for Secure Web Gateways, Gartner, Inc., Peter Firstbrook, Magic Quadrant for Content-Aware Data Loss Protection, Gartner, Inc., 02 June Wang, Chenxi, Forrester Wave for Web, May IDC, Worldwide Web Security Forecast and 2008 Vendor Shares: It s All About Web 2.0 YouTwitFace, Doc # , August

12 Appendix A: Requirements Checklist for Web Gateway Security Requirement Proxy Explicit Proxy Transparent Proxy WCCP ICAP Caching Integrated HA and Load Balancing Directory Integration Active Directory edirectory LDAP Agentless NTLM Kerberos Supported Protocols HTTP HTTPS FTP IM Streaming media Deployment Options Appliance Software Blade Server SaaS Hybrid Web Application Controls Outbound URL filtering McAfee Web Gateway Security Vendor B Vendor C URL category filtering URL Reputation filtering Geo Location Filtering Botnet and spyware phone home protection Dynamically review uncategorized sites Inbound Inbound signature-based AV scanning Inbound signature-based AV scanning with cloud signature look up Non signature based gateway Anti-malware Block proxy anonymizer services Scans SSL traffic Certificate verification Enforce SSL spec compliance Media filtering, McAfee Antivirus, McAfee Global Threat Intelligence file reputation #1 rated Web Gateway anti-malware 12

13 Requirement Data Loss Prevention Application Control Features Fine-grained control of applications within social networking User-level control of access User-level control of posting McAfee Web Gateway Security Vendor B Vendor C, integrates with McAfee Data Loss Prevention McAfee, Inc Freedom Circle Santa Clara, CA McAfee, the McAfee logo, McAfee Labs, McAfee Data Loss Prevention, McAfee Global Threat Intelligence, McAfee Web Gateway, and McAfee SaaS Web Protection are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided only for information and are subject to change without notice. They are provided without warranty of any kind, expressed or implied. Copyright 2010 McAfee, Inc wp_web2.0-requirements_0910_ETMG